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(57) A system is provided for verifying the safety of 
a program down-loaded to a device only once, the safety 
of the software thereafter being thereby ensured. The 
system includes a safe storage (212) for storing only a 



program for which safety has been ensured by a safety 
verifier (211 ), and for ensuring that the program cannot 
be stored by another means or rewritten. An executer 
(213) reads the program from the safe storage (21 2) for 
execution. 
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Description 

BACKGROUND OF THE INVENTION 

1 . Field of the Invention: 

[0001] The present invention relates to a system and 
a method for verifying and ensuring safety of software, 
and more particularly to a system and a method for en- 
suring safety of software by a single verification of the 
safety of the software. 

2. Description the Related Art: 

[0002] When a program Is downloaded for execution 
to a device through a communication path including a 
wire or wireless network, it is necessary to make sure 
that the software Is 'safe*, I.e. that the program does not 
pose a risk for the device or a user of the device. The 
risk referred to herein specifically means execution of 
instructions which are essentially not permitted for the 
program, occurrence of errors or exceptions resulting 
from the execution of the program, unauthorized access 
to information in the device for which access is essen- 
tially not permitted, influence on execution of another 
program in the device, and similar matters. 
[0003] An example of methods of verifying safety of 
software in the prior art is described in Japanese Patent 
Laid-open Publication No. 10-11281. As shown In Fig. 
1 . the prior art method of verifying safety of software is 
perfonned in a system mainly comprising Network Com- 
munication Manager 120, Architecture Neutral Program 
Executer 122, Architecture Neutral Program Integrity 
Verifier 126, Trusted Object Class Repository 140, and 
Untrusted Object Class Repository 142. 
[0004] The prior art method of verifying safety of soft- 
ware perfomried with the system of such a configuration 
operates as follows. 

[0005] Specifically, an Architecture Neutral Program 
downloaded using Network Communication Manager 
1 20 is stored by Untrusted Object Class Repository 1 42. 
Each time Architecture Neutral Program Executer 1 22 
is to load an object class stored by Untrusted Object 
Class Repository 142, it verifies Its safety using Archi- 
tecture Neutral Program Integrity Verifier 126, and only 
if all verifications are passed, it loads the object class. 
[0006] Small devices such as PDAs or cellular phones 
have problems such as those below in perfomriing the 
aforementioned verification of safety, since severe lim- 
itations are imposed on the performance and memory 
capacity. 

[0007] A first problem is the long amount of time taken 
for verifying safety. This Is because PDAs or cellular 
phones do not have a high ability to execute software, 
while verification of safety of software requires tracking 
and examination of a state in which the software is ex- 
ecuted, and thus the verification takes a time equal to 
or longer than the time taken for the execution of the 



software. 

[0008] A second problem is a long time taken for the 
start-up of software. This is because software can be 
started up only after its safety Is verified since verifica- 
5 tion of safety is perfonned each time the software is ex- 
ecuted, and such verification takes a long time. 
[0009] A third problem is high power consumption. 
This Is because verification of safety is complicated 
processing. 

10 [0010] A fourth problem Is the large memory capacity 
required for a device. This is because the memory ca- 
pacity required is the sum of that required for executing 
software and that required for verifying the safety of the 
software. 

15 

SUMMARY OF THE INVENTION 

[0011] It Is an object of the preferred embodiments of 
the present invention to provide a method of verifying 

20 and ensuring safety of software which requires only a 
single verification of software safety. 
[0012] It is another object of the preferred embodi- 
ments of the present invention to provide a method of 
verifying and ensuring safety of software which can re- 

25 duce time taken for verification of software and can en- 
sure safety. 

[0013] It is a further object of the preferred embodi- 
ments of the present invention to provide a method of 
verifying and ensuring safety of software which can re- 
30 duce memory capacity required for verification of soft- 
ware. 

[0014] A method of verifying and ensuring safety of 
software according to a first aspect of the present inven- 
tion is performed in a system comprising a safety verifier 
55 and a safe storage, and operates to store in the safe 
storage and to execute only a program for which safety 
is ensured by the safety verifier. 

[0015] A method of verifying and ensuring safety of 
software according to a second aspect of the present 
40 invention is perfomried in a system comprising a safe 
storage and a safety verifier, and operates such that, the 
safe storage stores whether each program has been 
verified and the result of the verification of a program if 
it has been verified, and if a program has not been ver- 
ified at the execution, the program is first verified, and 
then executed only if the safety thereof is ensured. 

BRIEF DESCRIPTION OF THE DRAWINGS 

50 [0016] Preferred features of the present invention will 
now be described, by way of example only, with refer- 
ence to the accompanying drawings, in which:- 

Fig. 1 is a block diagram showing a configuration of 
55 a system for a prior art method of verifying safety of 
software; 

Fig. 2 is a block diagram showing a schematic con- 
figuration of a system in an embodiment of a prior 
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art method of verifying safety of software; 



Fig. 3 is a block diagram showing a schematic con- 
figuration of a system for a method of verifying and 
ensuring safety of software In a first embodiment of 
the present invention; 5 
Fig. 4 is a flow chart showing the operations of the 
method of verifying and ensuring safety of software 
in the first embodiment of the present invention; 
Fig. 5 Is a block diagram showing a schematic con- 
figuration of a system for a method of verifying and io 
ensuring safety of software in a second embodi- 
ment of the present invention; and 
Fig. 6 is a flow chart showing the operations of the 
method of verifying and ensuring safety of software 
in the second embodiment of the present invention. ^5 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

[0017] Next, preferred embodiments of the present in- 20 
vention are described in detail with reference to the 
drawings. Referring to Fig. 3, there Is shown a system 
for verifying and ensuring safety of software in a first 
embodiment of the present invention which comphses 
downloadable program 200 and program executor 210. 25 
program executer 210 comprises safety verifier 211, 
safe storage 212, and executer 213. 
[001 8] Downloadable program 200 is downloaded for 
execution to program executer 210 through a commu- 
nication path including a wire or wireless network. 30 
[001 9] Safety verifier 21 1 verifies the safety of the pro- 
gram and makes sure that no risk Is posed for program 
executer 21 0 or a user of program executer 210. 
[0020] The program for which safety is ensured is 
stored in safe storage 212. In the system for verifying 35 
and ensuring safety of software of the present invention, 
only the program for which safety is ensured by safety 
verifier 211 is stored in safe storage 212, ensuring that 
a program cannot otherwise be newly stored or a stored 
program cannot be rewritten. 40 
[0021] Executer 213 reads program 200 from safe 
storage 212 for execution. 

[0022] Next, description is made of the entire opera- 
tion of a method of verifying and ensuring safety of soft- 
ware in the first embodiment of the present invention. ^5 
with reference to a block diagram in Fig. 3 and a flow 
chart in Fig. 4. 

[0023] First, downloadable program 200 is download- 
ed to program executer 210 through a communication 
"patR"lnclucllng a wire or wireless nefi«orir(stepA1"lrrFigr 



4). 

[0024] Next, safety verifier 211 verifies the safety of 
program 200 (step A2 in Fig. 4). In the verification of the 
safety, checks are made to determine whether the pro- 
gram is tampered with, whether the program makes ac- 
cess beyond the area which is essentially permitted 
therefor, whether program executor 210 can allocate 
memory required for executing the program, and similar 
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matters. 

""[0'0'25] Specif lcallyniTe^Tjflcatiorr^f"safet^ 
formed by checking each executable instruction for all 
possible combinations of processing paths (if branches 
or exception processing are present in turn from the be- 
ginning of the program). For example, for a load instruc- 
tion, a check is made to determine whether an address 
from which the load is made is an unauthorized address. 
For a storage instruction, checks are made to determine 
whether an address to which storage is made Is an un- 
authorized address and whether types match when 
loading and addressing are performed. For a jump In- 
struction, checks are made to detemine whether a des- 
tination of the jump exists, or whether the jump is being 
made to a location which is not included in the program. 
For an object-oriented program, checks are also made 
for definition of a class and to determine whether access 
to a member is correctly made. The individual checks 
are performed using known methods. 
[0026] If safety verifier 211 determines that program 
200 is not safe in one or more of the checks, program 
200 is discarded and the processing Is terminated (step 
A3 in Fig. 4). 

[0027] If safety verifier 211 determines that program 
200 is safe In ail of the checks, program 200 Is stored 
in safe storage 212 (step A4 In Fig. 4). 
[0028] Safety verifier 211 ensures that program 200 
is safe and that it is not rewritten by safe storage 212 
thereafter Thus, executer 213 read program 200 from 
safe storage 212 (step A5 In Fig. 4), and executes it as 
it is (step A6 in Fig. 4). 

[0029] In this embodiment, only a program for which 

safety has been ensured is stored in the storage which 
has a function for ensuring'safety. Therefore, it Is not 
necessary to verify safety each time the program stored 
in the storage with the safety-ensuring function is exe- 
cuted, and safety can be ensured by verrfcatlon thereof 
only once. 

[0030] Next, description is made for a system for ver- 
ifying and ensuring safety of software In a second em- 
bodiment of the present invention, with reference to the 
drawings. Referring to Fig. 5, there Is shown the system 
in the second embodiment of the present invention 
which comprises downloadable program 300 and pro- 
gram executer 310. Program executer 310 comprises 
safe storage 31 1 , executer 31 2, and safety verifier 313. 
[0031 ] Downloadable program 300 Is downloaded for 
execution to program executer 310 through a commu- 
nication path including a wire or wireless network. 
~[0032] Safe~stofage~311~stores tlie^ownloacleci"pf6^ 
gram as one for which safety has not been verified. Only 
when the program downloaded In safe storage 311 and 
stored as one for which safety has not been verified Is 
read and its safety is ensured by executer 31 2 and safe- 
ty verifier 31 3, is the program stored in safe storage 311 
as one for which safety has been verified. Thus, safe 
storage 311 stores programs marked as ones for which 
safety has not been verified, programs marked as ones 
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for which safety has been verified, and programs 
marked as ones which are not safe. The programs 
marked as ones which are not safe may be discarded. 
The system for verifying and ensuring safety of software 
in the second embodiment ensures that without such 5 
verification a program cannot be newly stored in safe 
storage 311 and that a program there cannot be rewrit- 
ten. 

[0033] Executor 312 reads program 300 from safe 
storage 311, and stops execution thereof when read io 
program 300 is marked as one which is not safe, or ver- 
ifies the safety of program 300 using safety verifier 313 
when the safety has not been verified. Only if the safety 
has been ensured, does it store program 300 in safe 
storage 311 as one which has been verified, and exe- i5 
cutes that program 300. When the read program is a 
program for which the safety has been verified, It exe- 
cutes the program as it is. 

[0034] Safely verifier 31 3 verifies the safety of a pro- 
gram to make sure that no risk is posed for program ex- 20 
ecuter 31 0 or a user of program executer 310. 
[0035] Next, description is made for the entire opera- 
tion of a method of verifying and ensuring safety of soft- 
ware in the second embodiment of the present Invention 
with reference to a block diagram in Fig. 5 and a flow 25 
chart in Fig. 6. 

[0036] First, downloadable program 300 is download- 
ed to program executer 310 through a communication 
path including a wire or wireless network (step A1 in Fig. 
6). stored in safe storage 311 (step A4 in Fig. 6). and 30 
marked as one for which safety has not been verified 
(step B1 in Fig. 6). Specifically, program executer 310 
includes, for example, a table for recording the down- 
loaded program and whether the safety of the program 
has been verified, and writes a value which indicates 35 
that the safety has not been verified into the associated 
field in the table. 

[0037] Executor 312 reads program 300 from safe 
storage 31 1 (step A5 in Fig. 6), and checks whether its 
safety has been verified (step B2 in Fig. 6). 40 
[0038] If the safety has been verified, executer 312 
executes program 300 as it is (step A6 in Fig. 6). 
[0039] If the safety has not been verified, safety veri- 
fier 313 verifies the safety of program 300 (step A2 in 
Fig. 6). In the verification of the safety, checks are made 45 
to determine whether the program has been tampered 
with, whether the program makes access beyond the 
area which is essentially pemnitted therefor, whether 
program executer 310 can allocate memory required for 
executing the program, and similar matters. Specific so 
methods therefor are the same as those in the first em- 
bodiment. 

[0040] If safety verifier 31 3 detennines that program 
300 is not safe in one or more of the checks, program 
300 is marked as one which is not safe (step B4 in Fig 55 

6). 

[0041] If safety verifier 313 detennines that program 
300 is safe in all of the checks, program 300 is marked 



as a safe program (step B3 in Fig. 6). Then, executer 
312 executes program 300 (step A6 in Fig. 6). The pro- 
gram marked as one which is not safe and the program 
marked as one which is safe are stored in safe storage 
311 with respective marks thereon. The program 
marked as one which is not safe may be discarded. 
[0042] A first effect of the present invention is to allow 
the execution of a program of interest without further 
verifications being needed after its safety is verified only 
once. This is because the safe storage prevents unau- 
thorized addition of a program and rewriting of a pro- 
gram. 

[0043] A second effect of the present invention is to 
allow reduced power consumption of a device. This is 
because processing of safety verification need be per- 
formed only once for one program. 
[0044] A third effect of the present invention is to allow 
a significant improvement in performance of a program. 
This is because complicated processing of safely veri- 
fication need not be perfomned again for each execution 
of a program once it has been verified, since the storage 
ensures the safety of such a program. 
[0045] A fourth effect of the present invention is to re- 
duce the memory capacity required for a device. This is 
because verification and execution separately per- 
formed in accordance with the method of the present 
invention require only a larger one of the memory ca- 
pacity required for verification and the memory capacity 
required for execution, while verification at the time of 
execution requires the sum of the memory capacity re- 
quired for execution and the memory capacity required 
for execution and the memory capacity required for ver- 
ification. 

[0046] It is to be understood, however, that although 
the characteristics and advantages of the present inven- 
tion have been set forth in the foregoing description, the 
disclosure is illustrative only, and changes may be made 
in the arrangement of the parts within the scope of the 
appended claims. 

[0047] Each feature disclosed in this specification 
(which tenn includes the claims) and/or shown in the 
drawings may be incorporated in the invention inde- 
pendently of other disclosed and/or illustrated features. 
[0048] The text of the abstract filed herewith is repeat- 
ed here as part of the specification. 
[0049] A system is provided for verifying the safety of 
a program down-loaded to a device only once, the safety 
of the software thereafter being thereby ensured. The 
system includes a safe storage for storing only a pro- 
gram for which safety has been ensured by a safety ver- 
ifier, and for ensuring that the program cannot be stored 
by another means or rewritten. An executor reads the 
program from the safe storage for execution. 



Claims 

1. A system for verifying and ensuring safety of soft- 
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ware, comprising: 



safety-verifying means for verifying safety of a 
program; and, 

safe-storage means for storing for execution 5 
only a program for which safety is verified by 
said safety-verifying means, and for preventing 
such stored program from being rewritten or for 
preventing storing for execution of a program 
not so verified. io 



2. A system for verifying and ensuring safety of soft- 
ware as in claim 1, wherein the safety-verifying 
means marks with a mark a program whose safety 
has been so verified, and wherein the safe-storage >5 
means prevents such mark being rewritten or pre- 
vents such a mark being applied to a program 
whose safety has not been verified. 



3. A method of verifying and ensuring safety of soft- 20 
ware, comprising the steps of: 

storing for execution a program verified as safe 
in a safe storage; and, 

preventing the program from being rewritten, or 25 
preventing an unverified program being stored 
for execution in the safe storage. 

4. A method as in claim 3, wherein the step of storing 

the program in the safe storage involves the steps 30 
of determining whether safety of the program has 
been verified, and storing only a program whose 
safety has been so verified. 

5. A method as in claim 3, wherein the step of storing 35 
the program in the safe storage involves the steps 

of storing the program in the safe storage before 
verifying its safety, and subsequently marking the 
program as a safe program if its safety is verified 
and thereafter storing the program for execution. 40 
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Fig. 2 Prior Art 
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